
The More Things Change, the More They Stay the Same

April 17, 2009

Verizon recently published their 2009 Data Breach Investigations Report, and the results — although not particularly surprising — paint a still-bleak picture of how organizations fail to properly protect themselves against data breaches. First, let’s look at some stats around the attack vectors and malicious users. Although most (67%) of data breaches involved hacking (which may or may not include active malware), there was a significant uptick (by 7%) in attacks involving privilege misuse — and this is clearly validated in the Privacy Rights Clearinghouse database of reported breaches, where there’s been an alarming uptick in personnel selling credit card data, Social Security numbers, and other private data to third parties. Moreover, the biggest change in attack profiles is the significant increase in multi-party breaches, suggesting collusion either between internal employees and contractors, or between internal personnel and external parties.

But regardless of preferred attack vectors and attacker profiles (which organizations have relatively little influence over), the most telling statistic in the entire report relates to implemented security controls (which organizations most definitely do have influence over): 87% of data breaches were considered avoidable through simple or intermediate controls.

So if these controls are so easy to implement, why aren’t organizations doing so? Information security, to borrow a common turn of phrase, is not rocket science. Lots of sources out there (such as the Verizon report) give us a good, empirically based understanding of who’s trying to get at our data, and how they’re doing it. Organizations need to start getting better at implementing security controls, and especially the kind of low-hanging fruit singled out by Verizon: monitoring, and especially monitoring for attacks that unfold over time. According to the Verizon report, in over 50% of data breaches the attacker (person or code) wandered around for a period of time between days and months before data was compromised. And in almost 50% of data breaches, the amount of time it took for organizations to discover the breach of their data was measured in months.

Monitoring is the Achilles’ heel of most security programs — especially those driven by compliance standards or other mandates — because people tend to view compliance as a point-in-time event, rather than an ongoing process. That’s not the case. PCI DSS, SOX, FISMA — they all require covered entities to continuously monitor the security profile of their systems. Any organization that views PCI DSS (for example) as a checklist exercise is simply begging to be breached. Moreover, you have to have tools that can correlate data over time. Low-and-slow attack profiles are intentionally designed to evade point solutions that look at only one type of data; you need to be able to correlate across multiple types of data and across time, or as we like to say around here, log data is not enough!
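To make the point concrete, here is an added example (not code from the original post) that runs two detections over constructed sample events from three separate sources: a per-source count, the way a point solution would look at one log type, and a cross-source correlation that looks for an ordered chain of stages by the same account within a time window. The event names and the 30-day window are assumptions chosen for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, (timestamp, source, account, action), from three
# different data sources. The timestamps span weeks, and no single source ever
# sees more than one event per account, so a per-source threshold never fires.
SAMPLE_EVENTS = [
    ("2009-03-02T08:14:00", "auth", "jdoe",   "vpn_login_new_country"),
    ("2009-03-03T09:00:00", "auth", "asmith", "vpn_login_new_country"),
    ("2009-03-04T09:10:00", "data", "asmith", "bulk_export_cardholder_table"),
    ("2009-03-09T22:41:00", "priv", "jdoe",   "added_to_db_admins"),
    ("2009-03-20T03:05:00", "data", "jdoe",   "bulk_export_cardholder_table"),
]

# The low-and-slow chain to look for: three stages, each from a different
# source, in order, by the same account, within a window of the first stage.
CHAIN = [("auth", "vpn_login_new_country"),
         ("priv", "added_to_db_admins"),
         ("data", "bulk_export_cardholder_table")]


def single_source_alerts(events, source, threshold):
    """Point-solution view: accounts with >= threshold events in ONE source."""
    counts = defaultdict(int)
    for _, src, account, _ in events:
        if src == source:
            counts[account] += 1
    return {account for account, n in counts.items() if n >= threshold}


def correlate(events, chain=CHAIN, window_days=30):
    """Cross-source view: accounts that complete every stage of `chain`, in
    order, within `window_days` of the first stage. Returns {account: [times]}."""
    window = timedelta(days=window_days)
    by_account = defaultdict(list)
    for ts, src, account, action in events:
        by_account[account].append((datetime.fromisoformat(ts), src, action))
    hits = {}
    for account, evs in by_account.items():
        evs.sort()  # chronological order per account
        for i, (t0, src, action) in enumerate(evs):
            if (src, action) != chain[0]:
                continue
            matched, stage = [t0], 1
            for t, s, a in evs[i + 1:]:
                if stage < len(chain) and (s, a) == chain[stage] and t - t0 <= window:
                    matched.append(t)
                    stage += 1
            if stage == len(chain):
                hits[account] = matched
                break
    return hits
```

With these inputs, `single_source_alerts` returns nothing for any source at a threshold of 2, while `correlate` flags `jdoe`, whose three events sit 18 days apart across three different sources; `asmith` is not flagged because the privilege stage never occurs.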
